This invention relates to the field of network management, and in particular to a method and system for analyzing and verifying compliance with security policies among devices in a network.
Network security is a continuing concern among network users and network managers. In a secure computer network, to prevent unauthorized access to the network, only a specified set of systems, services, and applications are permitted to use the network. Additionally, within a network, not all systems, services, and applications are permitted to communicate with each other. The term ‘security policy’ is used to identify the connections that should be permitted or denied between network elements.
Certain devices within a network, such as routers and firewalls, can be configured to enforce security policies within the network, and complex security policies may require that multiple devices be compatibly configured.
Verifying that each device in a network is properly configured to effect the intended security policies is a daunting task, particularly in complex networks that include multiple communication paths among network elements. This task is further complicated by the fact that different devices may use different schemes for effecting the same security policy. A security analyst must typically be aware of a variety of vendor-dependent configuration formats and protocols, and must be aware of each configuration setting's effect on the security policy of each connection to the device.
Often, security policy analysis and verification is a ‘hit or miss’ process, with minimal analytical basis. A security analyst reviews configuration settings, corrects any obvious security loopholes, and then verifies security by attempting to send messages to or from a variety of elements on the network. If a message traverses a denied connection, or is blocked from a permitted connection, the cause of the error is determined, the configuration is modified, and the test is repeated.
This hit or miss process is further complicated by the fact that the transit behaviour of a network device is often state-dependent. For example, routers and firewalls that support dynamic, state-dependent configuration, such as application-layer packet inspection and deep packet inspection, are commonly configured to admit an inbound connection from an external device only after an outbound message has been sent to that device, so whether a given packet is passed depends on the packets that preceded it. Thus, to effectively test each security policy that is to be applied to a network, the appropriate test sequence, in the order in which the application generates its connections, would need to be applied to each potential route upon which the communications may transit.
It would be advantageous to provide a method and system for identifying and verifying compliance with security policies within a network. It would also be advantageous to provide a method and system for identifying network configuration data that is inconsistent with intended security policies.
These advantages, and others, can be realized by a method and system that determines all of the transit services that each device is expected to provide and contrasts them with the transit configuration actually present on each device. An application's ordered sequence of request-response connections is defined as a ‘service’, and the security transit policy states whether each service is to be permitted or denied between identified groups of devices. Connection groups identify the services to be carried between each source-group and destination-group pair; each route associated with a connection group is determined, and the service items of each service are applied along that route in their sequential order, so that state-dependent device behaviour is evaluated in the order the application would produce it. The configuration of each device along each route is processed to determine which services that device will permit or deny in its current configuration, and each desired service item is compared with that transit security configuration to identify inconsistencies or violations: services that the devices permit but the policy denies, and services that the policy permits but some device along the route blocks.
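The method summarized above, together with the state-dependent transit behaviour noted earlier, as an added illustrative model in Python. This is example code written for this page, not the patent's implementation, and every host address, group, device name, rule format, service definition and policy entry in it is constructed. A service is an ordered list of connections, a route is an ordered list of devices, and each device's configuration is an ordered permit/deny list plus two optional state-dependent behaviours: passing the reply half of a connection it has already seen (stateful), and opening the server-initiated active-mode FTP data channel after inspecting the control channel. `verify` replays each service along each route in sequence and reports both kinds of error the text describes.

```python
"""Model of the policy-versus-configuration check described above. Illustrative code
added to this page, not the patent's implementation; all hosts, groups, device names,
the rule format and the sample policy are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ServiceItem:
    proto: str
    initiator: str            # 'src': source group opens it; 'dst': destination group does
    src_port: int
    dst_port: int
    inspect: str = ""         # control channel an inspecting device learns from
    via_inspection: str = ""  # connection that only such inspection can open


SERVICES = {  # constructed; 40000/40001 stand in for ephemeral client ports
    "http": [ServiceItem("tcp", "src", 40000, 80)],
    "ssh": [ServiceItem("tcp", "src", 40000, 22)],
    "ftp_active": [ServiceItem("tcp", "src", 40000, 21, inspect="ftp"),
                   ServiceItem("tcp", "dst", 20, 40001, via_inspection="ftp")],
}


@dataclass
class Device:
    name: str
    rules: list  # (action, proto, src_cidr, dst_cidr, dst_port or None); first match wins
    stateful: bool = False                      # passes replies of flows it has seen
    inspects: set = field(default_factory=set)  # application-layer inspections enabled
    flows: set = field(default_factory=set, init=False, repr=False)
    opened: set = field(default_factory=set, init=False, repr=False)

    def permits(self, pkt, item):
        proto, s, sp, d, dp = pkt
        if self.stateful and (proto, d, dp, s, sp) in self.flows:
            return True  # reply half of an established connection
        if item.via_inspection and item.via_inspection in self.opened:
            return True  # pinhole opened by inspecting the control channel
        for action, rproto, src, dst, port in self.rules:
            if (rproto in (proto, "ip") and port in (None, dp)
                    and ip_address(s) in ip_network(src)
                    and ip_address(d) in ip_network(dst)):
                return action == "permit"
        return False  # implicit deny

    def note(self, pkt, item):  # state that a permitted request leaves behind
        if self.stateful:
            self.flows.add(pkt)
        if item.inspect and item.inspect in self.inspects:
            self.opened.add(item.inspect)


def transit(items, route, src_host, dst_host):
    """Replay a service's connections in order along one route (requests in path order,
    replies in reverse), so state-dependent behaviour is evaluated in application order."""
    for dev in route: dev.flows, dev.opened = set(), set()
    for item in items:
        fwd = item.initiator == "src"
        a, b = (src_host, dst_host) if fwd else (dst_host, src_host)
        path = list(route) if fwd else list(reversed(route))
        req = (item.proto, a, item.src_port, b, item.dst_port)
        rep = (item.proto, b, item.dst_port, a, item.src_port)
        for dev in path:
            if not dev.permits(req, item):
                return False, f"{dev.name} blocks request {req}"
            dev.note(req, item)
        for dev in reversed(path):
            if not dev.permits(rep, item):
                return False, f"{dev.name} blocks reply {rep}"
    return True, "permitted"


def verify(policy, routes, groups):
    """Contrast the intended policy with actual transit behaviour on every route."""
    findings = []
    for src_g, dst_g, svc, intent in policy:
        for route in routes[(src_g, dst_g)]:
            for s in groups[src_g]:
                for d in groups[dst_g]:
                    ok, why = transit(SERVICES[svc], route, s, d)
                    if ok and intent == "deny":
                        findings.append(f"VIOLATION {src_g}->{dst_g} {svc} permitted via "
                                        f"{'/'.join(dev.name for dev in route)}, policy denies it")
                    elif not ok and intent == "permit":
                        findings.append(f"INCONSISTENCY {src_g}->{dst_g} {svc} should be permitted: {why}")
    return findings


GROUPS = {"lan": ["10.0.0.5"], "dmz": ["192.0.2.10"], "internet": ["203.0.113.7"]}  # constructed
CORE = Device("core_router", rules=[("permit", "tcp", "10.0.0.0/24", "0.0.0.0/0", None),  # stateless
                                    ("permit", "tcp", "0.0.0.0/0", "10.0.0.0/24", None)])
EDGE = Device("edge_fw", stateful=True, rules=[  # stateful, but FTP inspection is not enabled
    ("permit", "tcp", "10.0.0.0/24", "0.0.0.0/0", 80),
    ("permit", "tcp", "10.0.0.0/24", "0.0.0.0/0", 21),
    ("permit", "tcp", "0.0.0.0/0", "192.0.2.0/24", None)])  # over-broad: any port into the DMZ
ROUTES = {("lan", "internet"): [[CORE, EDGE]], ("internet", "dmz"): [[EDGE]]}
POLICY = [("lan", "internet", "http", "permit"), ("lan", "internet", "ftp_active", "permit"),
          ("internet", "dmz", "http", "permit"), ("internet", "dmz", "ssh", "deny")]
```

Running `verify(POLICY, ROUTES, GROUPS)` on the sample yields two findings: the edge firewall, with FTP inspection disabled, blocks the server-initiated data connection of a service the policy permits, and its over-broad rule into the DMZ permits SSH that the policy denies. Adding "ftp" to `EDGE.inspects` clears the first finding without touching the rule list, which is exactly the contrast the method is meant to surface: the same configuration lines yield different transit behaviour depending on a device's state-dependent features, so a per-rule review cannot replace replaying each service in order along each route.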
Throughout the drawings, the same reference numerals indicate similar or corresponding features or functions. The drawings are included for illustrative purposes and are not intended to limit the scope of the invention.